Patch FlightReplyServer with fixes from ReactFlightClient

[sebmarkbage]

FlightReplyServer are for client->server and ReactFlightClient is for server->client. They're not 100% symmetrical.

We did a number of refactors to ReactFlightClient in PRs like #29823 and #33664 to change the structure of the resolution. This PR brings those changes to synchronize the two approaches. Which addresses deep resolution of cycles and deferred error handling.

This also fixes a critical security vulnerability.

[react-sizebot]

Comparing: 36df5e8...e2fd5dc

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable/react-dom/cjs/react-dom.production.js	=	6.84 kB	6.84 kB	=	1.88 kB	1.88 kB
oss-stable/react-dom/cjs/react-dom-client.production.js	=	608.36 kB	608.36 kB	=	107.68 kB	107.68 kB
oss-experimental/react-dom/cjs/react-dom.production.js	=	6.84 kB	6.84 kB	=	1.88 kB	1.88 kB
oss-experimental/react-dom/cjs/react-dom-client.production.js	=	667.47 kB	667.47 kB	=	117.57 kB	117.57 kB
facebook-www/ReactDOM-prod.classic.js	=	693.67 kB	693.67 kB	=	122.06 kB	122.06 kB
facebook-www/ReactDOM-prod.modern.js	=	684.10 kB	684.10 kB	=	120.45 kB	120.45 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.production.js	+8.76%	94.85 kB	103.16 kB	+7.05%	19.44 kB	20.81 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.production.js	+8.76%	94.85 kB	103.16 kB	+7.05%	19.44 kB	20.81 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.js	+8.72%	98.46 kB	107.04 kB	+6.91%	20.20 kB	21.59 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.js	+8.72%	98.46 kB	107.04 kB	+6.91%	20.20 kB	21.59 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.production.js	+8.68%	95.99 kB	104.32 kB	+6.96%	19.70 kB	21.07 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.production.js	+8.68%	95.99 kB	104.32 kB	+6.96%	19.70 kB	21.07 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.production.js	+8.60%	96.70 kB	105.01 kB	+6.90%	19.81 kB	21.18 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.js	+8.56%	100.31 kB	108.90 kB	+6.80%	20.57 kB	21.97 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.production.js	+8.52%	97.84 kB	106.17 kB	+6.80%	20.10 kB	21.46 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.production.js	+8.48%	102.29 kB	110.97 kB	+6.92%	20.73 kB	22.16 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.production.js	+8.48%	102.29 kB	110.97 kB	+6.92%	20.73 kB	22.16 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.production.js	+8.33%	104.15 kB	112.82 kB	+6.78%	21.09 kB	22.52 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.js	+8.11%	101.91 kB	110.18 kB	+6.52%	20.57 kB	21.91 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.js	+8.11%	101.91 kB	110.18 kB	+6.52%	20.57 kB	21.91 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.js	+8.08%	102.26 kB	110.53 kB	+6.43%	20.67 kB	22.00 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.js	+8.08%	102.26 kB	110.53 kB	+6.43%	20.67 kB	22.00 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.js	+8.04%	103.07 kB	111.35 kB	+6.42%	20.87 kB	22.21 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.js	+8.04%	103.07 kB	111.35 kB	+6.42%	20.87 kB	22.21 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.js	+8.04%	103.07 kB	111.36 kB	+6.41%	20.87 kB	22.21 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.js	+8.04%	103.07 kB	111.36 kB	+6.41%	20.87 kB	22.21 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.js	+7.98%	108.37 kB	117.01 kB	+6.47%	21.67 kB	23.07 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.js	+7.98%	108.37 kB	117.01 kB	+6.47%	21.67 kB	23.07 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.js	+7.97%	103.76 kB	112.03 kB	+6.13%	21.01 kB	22.30 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.js	+7.94%	104.12 kB	112.38 kB	+6.11%	21.11 kB	22.40 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.js	+7.90%	104.92 kB	113.21 kB	+6.01%	21.31 kB	22.59 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.js	+7.90%	104.92 kB	113.21 kB	+6.00%	21.31 kB	22.59 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.js	+7.89%	109.42 kB	118.05 kB	+6.29%	21.92 kB	23.30 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.js	+7.89%	109.42 kB	118.05 kB	+6.29%	21.92 kB	23.30 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.js	+7.89%	109.44 kB	118.07 kB	+6.27%	21.92 kB	23.30 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.js	+7.89%	109.44 kB	118.07 kB	+6.27%	21.92 kB	23.30 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.js	+7.84%	110.22 kB	118.87 kB	+6.35%	22.05 kB	23.45 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.js	+7.76%	111.27 kB	119.91 kB	+5.97%	22.34 kB	23.68 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.js	+7.76%	111.29 kB	119.92 kB	+5.95%	22.35 kB	23.68 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+4.93%	187.27 kB	196.50 kB	+4.18%	34.00 kB	35.42 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+4.93%	187.27 kB	196.50 kB	+4.18%	34.00 kB	35.42 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+4.87%	189.37 kB	198.60 kB	+4.05%	34.46 kB	35.85 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+4.85%	190.94 kB	200.19 kB	+4.10%	34.50 kB	35.92 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+4.85%	190.94 kB	200.19 kB	+4.10%	34.50 kB	35.92 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+4.79%	193.03 kB	202.28 kB	+3.97%	34.96 kB	36.35 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+4.70%	195.12 kB	204.28 kB	+3.84%	35.38 kB	36.74 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+4.70%	195.12 kB	204.28 kB	+3.84%	35.38 kB	36.74 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+4.69%	195.59 kB	204.76 kB	+3.86%	35.48 kB	36.85 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+4.69%	195.59 kB	204.76 kB	+3.86%	35.48 kB	36.85 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+4.65%	197.22 kB	206.39 kB	+3.78%	35.81 kB	37.17 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+4.64%	197.69 kB	206.86 kB	+3.82%	35.91 kB	37.28 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+4.62%	198.82 kB	208.01 kB	+3.81%	35.87 kB	37.23 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+4.62%	198.82 kB	208.01 kB	+3.81%	35.87 kB	37.23 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+4.62%	198.82 kB	208.01 kB	+3.79%	35.87 kB	37.23 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+4.62%	198.82 kB	208.01 kB	+3.79%	35.87 kB	37.23 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+4.57%	200.91 kB	210.10 kB	+3.77%	36.30 kB	37.67 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+4.57%	200.91 kB	210.10 kB	+3.76%	36.30 kB	37.67 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+4.45%	213.53 kB	223.03 kB	+3.57%	38.89 kB	40.28 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+4.45%	213.53 kB	223.03 kB	+3.57%	38.89 kB	40.28 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+4.41%	215.62 kB	225.12 kB	+3.51%	39.35 kB	40.73 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+4.37%	219.95 kB	229.55 kB	+3.30%	39.56 kB	40.87 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+4.37%	219.95 kB	229.55 kB	+3.30%	39.56 kB	40.87 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+4.33%	222.04 kB	231.64 kB	+3.27%	40.02 kB	41.33 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+4.22%	226.66 kB	236.22 kB	+3.15%	40.64 kB	41.92 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+4.22%	226.66 kB	236.22 kB	+3.15%	40.64 kB	41.92 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+4.19%	227.87 kB	237.41 kB	+3.12%	40.94 kB	42.22 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+4.19%	227.87 kB	237.41 kB	+3.12%	40.94 kB	42.22 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+4.19%	227.92 kB	237.46 kB	+3.10%	40.94 kB	42.20 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+4.19%	227.92 kB	237.46 kB	+3.10%	40.94 kB	42.20 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+4.18%	228.75 kB	238.31 kB	+3.11%	41.10 kB	42.38 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+4.15%	229.96 kB	239.50 kB	+3.09%	41.40 kB	42.67 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+4.15%	230.01 kB	239.55 kB	+3.07%	41.39 kB	42.66 kB

Significant size changes

Includes any change greater than 0.2%:

Expand to show

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.production.js	+8.76%	94.85 kB	103.16 kB	+7.05%	19.44 kB	20.81 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.production.js	+8.76%	94.85 kB	103.16 kB	+7.05%	19.44 kB	20.81 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.js	+8.72%	98.46 kB	107.04 kB	+6.91%	20.20 kB	21.59 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.js	+8.72%	98.46 kB	107.04 kB	+6.91%	20.20 kB	21.59 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.production.js	+8.68%	95.99 kB	104.32 kB	+6.96%	19.70 kB	21.07 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.production.js	+8.68%	95.99 kB	104.32 kB	+6.96%	19.70 kB	21.07 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.production.js	+8.60%	96.70 kB	105.01 kB	+6.90%	19.81 kB	21.18 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.js	+8.56%	100.31 kB	108.90 kB	+6.80%	20.57 kB	21.97 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.production.js	+8.52%	97.84 kB	106.17 kB	+6.80%	20.10 kB	21.46 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.production.js	+8.48%	102.29 kB	110.97 kB	+6.92%	20.73 kB	22.16 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.production.js	+8.48%	102.29 kB	110.97 kB	+6.92%	20.73 kB	22.16 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.production.js	+8.33%	104.15 kB	112.82 kB	+6.78%	21.09 kB	22.52 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.js	+8.11%	101.91 kB	110.18 kB	+6.52%	20.57 kB	21.91 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.js	+8.11%	101.91 kB	110.18 kB	+6.52%	20.57 kB	21.91 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.js	+8.08%	102.26 kB	110.53 kB	+6.43%	20.67 kB	22.00 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.js	+8.08%	102.26 kB	110.53 kB	+6.43%	20.67 kB	22.00 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.js	+8.04%	103.07 kB	111.35 kB	+6.42%	20.87 kB	22.21 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.js	+8.04%	103.07 kB	111.35 kB	+6.42%	20.87 kB	22.21 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.js	+8.04%	103.07 kB	111.36 kB	+6.41%	20.87 kB	22.21 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.js	+8.04%	103.07 kB	111.36 kB	+6.41%	20.87 kB	22.21 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.js	+7.98%	108.37 kB	117.01 kB	+6.47%	21.67 kB	23.07 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.js	+7.98%	108.37 kB	117.01 kB	+6.47%	21.67 kB	23.07 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.js	+7.97%	103.76 kB	112.03 kB	+6.13%	21.01 kB	22.30 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.js	+7.94%	104.12 kB	112.38 kB	+6.11%	21.11 kB	22.40 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.js	+7.90%	104.92 kB	113.21 kB	+6.01%	21.31 kB	22.59 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.js	+7.90%	104.92 kB	113.21 kB	+6.00%	21.31 kB	22.59 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.js	+7.89%	109.42 kB	118.05 kB	+6.29%	21.92 kB	23.30 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.js	+7.89%	109.42 kB	118.05 kB	+6.29%	21.92 kB	23.30 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.js	+7.89%	109.44 kB	118.07 kB	+6.27%	21.92 kB	23.30 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.js	+7.89%	109.44 kB	118.07 kB	+6.27%	21.92 kB	23.30 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.js	+7.84%	110.22 kB	118.87 kB	+6.35%	22.05 kB	23.45 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.js	+7.76%	111.27 kB	119.91 kB	+5.97%	22.34 kB	23.68 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.js	+7.76%	111.29 kB	119.92 kB	+5.95%	22.35 kB	23.68 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+4.93%	187.27 kB	196.50 kB	+4.18%	34.00 kB	35.42 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+4.93%	187.27 kB	196.50 kB	+4.18%	34.00 kB	35.42 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+4.87%	189.37 kB	198.60 kB	+4.05%	34.46 kB	35.85 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+4.85%	190.94 kB	200.19 kB	+4.10%	34.50 kB	35.92 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+4.85%	190.94 kB	200.19 kB	+4.10%	34.50 kB	35.92 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+4.79%	193.03 kB	202.28 kB	+3.97%	34.96 kB	36.35 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+4.70%	195.12 kB	204.28 kB	+3.84%	35.38 kB	36.74 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+4.70%	195.12 kB	204.28 kB	+3.84%	35.38 kB	36.74 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+4.69%	195.59 kB	204.76 kB	+3.86%	35.48 kB	36.85 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+4.69%	195.59 kB	204.76 kB	+3.86%	35.48 kB	36.85 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+4.65%	197.22 kB	206.39 kB	+3.78%	35.81 kB	37.17 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+4.64%	197.69 kB	206.86 kB	+3.82%	35.91 kB	37.28 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+4.62%	198.82 kB	208.01 kB	+3.81%	35.87 kB	37.23 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+4.62%	198.82 kB	208.01 kB	+3.81%	35.87 kB	37.23 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+4.62%	198.82 kB	208.01 kB	+3.79%	35.87 kB	37.23 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+4.62%	198.82 kB	208.01 kB	+3.79%	35.87 kB	37.23 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+4.57%	200.91 kB	210.10 kB	+3.77%	36.30 kB	37.67 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+4.57%	200.91 kB	210.10 kB	+3.76%	36.30 kB	37.67 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+4.45%	213.53 kB	223.03 kB	+3.57%	38.89 kB	40.28 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+4.45%	213.53 kB	223.03 kB	+3.57%	38.89 kB	40.28 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+4.41%	215.62 kB	225.12 kB	+3.51%	39.35 kB	40.73 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+4.37%	219.95 kB	229.55 kB	+3.30%	39.56 kB	40.87 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+4.37%	219.95 kB	229.55 kB	+3.30%	39.56 kB	40.87 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+4.33%	222.04 kB	231.64 kB	+3.27%	40.02 kB	41.33 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+4.22%	226.66 kB	236.22 kB	+3.15%	40.64 kB	41.92 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+4.22%	226.66 kB	236.22 kB	+3.15%	40.64 kB	41.92 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+4.19%	227.87 kB	237.41 kB	+3.12%	40.94 kB	42.22 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+4.19%	227.87 kB	237.41 kB	+3.12%	40.94 kB	42.22 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+4.19%	227.92 kB	237.46 kB	+3.10%	40.94 kB	42.20 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+4.19%	227.92 kB	237.46 kB	+3.10%	40.94 kB	42.20 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+4.18%	228.75 kB	238.31 kB	+3.11%	41.10 kB	42.38 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+4.15%	229.96 kB	239.50 kB	+3.09%	41.40 kB	42.67 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+4.15%	230.01 kB	239.55 kB	+3.07%	41.39 kB	42.66 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.production.js	+0.29%	58.58 kB	58.75 kB	+0.47%	11.50 kB	11.55 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.production.js	+0.29%	58.58 kB	58.75 kB	+0.47%	11.50 kB	11.55 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.production.js	+0.29%	58.58 kB	58.75 kB	+0.47%	11.50 kB	11.55 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.production.js	+0.26%	64.11 kB	64.28 kB	+0.42%	12.71 kB	12.76 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.production.js	+0.26%	64.11 kB	64.28 kB	+0.42%	12.71 kB	12.76 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.production.js	+0.26%	64.11 kB	64.28 kB	+0.42%	12.71 kB	12.76 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.production.js	+0.25%	68.44 kB	68.61 kB	+0.37%	13.34 kB	13.39 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.production.js	+0.25%	68.44 kB	68.61 kB	+0.37%	13.34 kB	13.39 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.production.js	+0.25%	68.44 kB	68.61 kB	+0.37%	13.34 kB	13.39 kB

Generated by 🚫 dangerJS against e2fd5dc

[sebmarkbage]

TL;DR: If you are using React Server Components you really must upgrade.

More information in Critical Security Vulnerability in React Server Components.

This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.

[jschauma]

We did a number of refactors ...
This also fixes a critical security vulnerability.

With this combined commit, people now have to go through a >1500 line patch to try to understand the security relevant changes.

Going forward, it would be preferable if code changes for a critical security vulnerability could be committed separately from other changes. :-)

[sebmarkbage]

Further details of the vulnerability will be provided after the rollout of the fix is complete.

[justinrest]

the meta

[rickhanlonii]

@szybnev that PoC is not valid, the server in that PoC is faked to respond.

[matija2209]

We did a number of refactors ...
This also fixes a critical security vulnerability.

With this combined commit, people now have to go through a >1500 line patch to try to understand the security relevant changes.

Going forward, it would be preferable if code changes for a critical security vulnerability could be committed separately from other changes. :-)

Probably with a reason. You do not want to make it easier to reverse engineer. What we see, they see.

[macropin]

Will the fix be backported to older major versions, or are they not vulnerable?

[eps1lon]

There are no react-server-dom-* packages before 19.0 at all. The affected packages and versions are included in GHSA-fv66-9v8q-g76r.

Neither react nor react-dom packages are vulnerable.

[sebmarkbage]

These hasOwnProperty checks were the ones that were missing. This is the critical fix. Without it, you can drill into objects not created by the parser itself.

The rest is mainly protecting against other gadgets and to slow down reverse engineering just a bit (which seems to have been somewhat effective especially with llms).

[KernelDeimos]

Could this have also been solved by re-creating an object's own properties on a new object with a null prototype? If I'm not missing something, I imagine that would avoid the "shotgun surgery" of ensuring .hasOwnProperty guards anywhere which the object's properties are traversed.

[sebmarkbage]

This is the other one.

The ones on the module is not that critical but good to have.

[AlexDev404]

We did a number of refactors ...
This also fixes a critical security vulnerability.

With this combined commit, people now have to go through a >1500 line patch to try to understand the security relevant changes.

Going forward, it would be preferable if code changes for a critical security vulnerability could be committed separately from other changes. :-)

It was disclosed to the React team since November 29, 2025--so it's something I'd say quite a few people have reviewed already--we're just seeing it now, because they most likely already coordinated what they're going to do.

[jschauma]

It was disclosed to the React team since November 29, 2025--so it's something I'd say quite a few people have reviewed already--we're just seeing it now, because they most likely already coordinated what they're going to do.

That's not the point, though.

The issue here is that sliding in a security fix with a refactor makes it difficult for anybody to whom it has not yet been disclosed to understand the vulnerability, to develop their defenses, and for the historical record to be obscured. It is not uncommon for a vulnerability fix to be incomplete and later require additional follow-up, or for a future reference to a given code fix. This is all made more difficult here.

If the concern is disclosure, then the vulnerability could be kept under embargo and patching be done with coordination (as was and still is being done, and which I appreciate), but lifting an embargo and then trying to keep the actual vulnerability obscured only leads to wasted cycles on the defenders' side (see also the large number of AI slopped "PoC"s and poorly understand speculation).

Vulnerability disclosure can be done in multiple stages, but when actual public disclosure is done, it's best to be specific and clear at that point.

[AlexDev404]

It was disclosed to the React team since November 29, 2025--so it's something I'd say quite a few people have reviewed already--we're just seeing it now, because they most likely already coordinated what they're going to do.

That's not the point, though.

The issue here is that sliding in a security fix with a refactor makes it difficult for anybody to whom it has not yet been disclosed to understand the vulnerability, to develop their defenses, and for the historical record to be obscured. It is not uncommon for a vulnerability fix to be incomplete and later require additional follow-up, or for a future reference to a given code fix. This is all made more difficult here.

There was no "sliding" of any security fix. The person went through all of the steps of responsibly disclosing the vulnerability and it was released just as any other critical vulnerability. Haven't you been keeping yourself updated with the news? If not, I can for sure see why you'd say something like this.

If the concern is disclosure, then the vulnerability could be kept under embargo and patching be done with coordination (as was and still is being done, and which I appreciate), but lifting an embargo and then trying to keep the actual vulnerability obscured only leads to wasted cycles on the defenders' side (see also the large number of AI slopped "PoC"s and poorly understand speculation).

It's a CVE--the point of it is to go public. I don't think you understand. React is an open-source project, not proprietary. So secretly pushing in a patch and then telling everyone after would defeat the entire purpose of it being an open source project. Also how would you "propose" they do so with React being an NPM package and not a piece of software you can just update? To disclose or not disclose would be irrelevant, as anyone bright enough could easily find out what the changes were.

Vulnerability disclosure can be done in multiple stages, but when actual public disclosure is done, it's best to be specific and clear at that point.

The changes are very clean, and very minimal. IMO only someone who doesn't have a clue about how React works would say something like this. They've been very active in telling everyone essential about what's going on. So just because they didn't tell you to update your hobby project, doesn't give you the right to just come here and think you can get all like this.

[DogRespector93]

It was disclosed to the React team since November 29, 2025--so it's something I'd say quite a few people have reviewed already--we're just seeing it now, because they most likely already coordinated what they're going to do.

That's not the point, though.
The issue here is that sliding in a security fix with a refactor makes it difficult for anybody to whom it has not yet been disclosed to understand the vulnerability, to develop their defenses, and for the historical record to be obscured. It is not uncommon for a vulnerability fix to be incomplete and later require additional follow-up, or for a future reference to a given code fix. This is all made more difficult here.

There was no "sliding" of any security fix. The person went through all of the steps of responsibly disclosing the vulnerability and it was released just as any other critical vulnerability. Haven't you been keeping yourself updated with the news? If not, I can for sure see why you'd say something like this.

If the concern is disclosure, then the vulnerability could be kept under embargo and patching be done with coordination (as was and still is being done, and which I appreciate), but lifting an embargo and then trying to keep the actual vulnerability obscured only leads to wasted cycles on the defenders' side (see also the large number of AI slopped "PoC"s and poorly understand speculation).

It's a CVE--the point of it is to go public. I don't think you understand. React is an open-source project, not proprietary. So secretly pushing in a patch and then telling everyone after would defeat the entire purpose of it being an open source project. Also how would you "propose" they do so with React being an NPM package and not a piece of software you can just update? To disclose or not disclose would be irrelevant, as anyone bright enough could easily find out what the changes were.

Vulnerability disclosure can be done in multiple stages, but when actual public disclosure is done, it's best to be specific and clear at that point.

The changes are very clean, and very minimal. IMO only someone who doesn't have a clue about how React works would say something like this. They've been very active in telling everyone essential about what's going on. So just because they didn't tell you to update your hobby project, doesn't give you the right to just come here and think you can get all like this.

Hey, for real, you do not have to be rude to someone asking polite, critical-thinking-oriented questions about how and why developers make certain choices in their project. It is not a status symbol to bully other coders doing "hobby projects" because you think it'll impress other devs. Your attitude makes the actual hardworking React teams look bad, not good. Your projects are easily just as "hobby" as theirs, and that's fine! You aren't managing some enterprise project- you're exploring - and anyone with experience doing it professionally knows attitudes like yours are caustic to progress.

They asked legitimate questions. You can say, "This isn't really the forum for these kinds of questions, and I don't actually know the answer, but here's a good place to ask: ", and no one will think any less of you.

[AlexDev404]

It was disclosed to the React team since November 29, 2025--so it's something I'd say quite a few people have reviewed already--we're just seeing it now, because they most likely already coordinated what they're going to do.

That's not the point, though.
The issue here is that sliding in a security fix with a refactor makes it difficult for anybody to whom it has not yet been disclosed to understand the vulnerability, to develop their defenses, and for the historical record to be obscured. It is not uncommon for a vulnerability fix to be incomplete and later require additional follow-up, or for a future reference to a given code fix. This is all made more difficult here.

There was no "sliding" of any security fix. The person went through all of the steps of responsibly disclosing the vulnerability and it was released just as any other critical vulnerability. Haven't you been keeping yourself updated with the news? If not, I can for sure see why you'd say something like this.

If the concern is disclosure, then the vulnerability could be kept under embargo and patching be done with coordination (as was and still is being done, and which I appreciate), but lifting an embargo and then trying to keep the actual vulnerability obscured only leads to wasted cycles on the defenders' side (see also the large number of AI slopped "PoC"s and poorly understand speculation).

It's a CVE--the point of it is to go public. I don't think you understand. React is an open-source project, not proprietary. So secretly pushing in a patch and then telling everyone after would defeat the entire purpose of it being an open source project. Also how would you "propose" they do so with React being an NPM package and not a piece of software you can just update? To disclose or not disclose would be irrelevant, as anyone bright enough could easily find out what the changes were.

Vulnerability disclosure can be done in multiple stages, but when actual public disclosure is done, it's best to be specific and clear at that point.

The changes are very clean, and very minimal. IMO only someone who doesn't have a clue about how React works would say something like this. They've been very active in telling everyone essential about what's going on. So just because they didn't tell you to update your hobby project, doesn't give you the right to just come here and think you can get all like this.

Hey, for real, you do not have to be rude to someone asking polite, critical-thinking-oriented questions about how and why developers make certain choices in their project. It is not a status symbol to bully other coders doing "hobby projects" because you think it'll impress other devs. Your attitude makes the actual hardworking React teams look bad, not good. Your projects are easily just as "hobby" as theirs, and that's fine! You aren't managing some enterprise project- you're exploring - and anyone with experience doing it professionally knows attitudes like yours are caustic to progress.

I think you're misunderstanding, because I never said hobby project as if it was something bad. I assumed that that person created something using React for their own personal usage, and was upset by the fact that they never got notified about the issue. And so I think you're heavily inferring on something that wasn't the case.

They asked legitimate questions. You can say, "This isn't really the forum for these kinds of questions, and I don't actually know the answer, but here's a good place to ask: ", and no one will think any less of you.

They never asked any questions, and instead made targeted jabs as to what was happening. If they just made questions, this probably never would've happened.

See the attached thread for further context on their messages